CVE-2026-42487
Received Received - Intake
I/O Port Access Race Condition in Xen Hypervisor

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Xen Project

Description
HVM guest I/O port accesses are subject to either emulation or at least translation. Translations are managed by the device model (via XEN_DOMCTL_ioport_mapping), and hence the linked list used may changed at any time. Traversal of those lists (while handling guest I/O port accesses) therefore needs synchronizing with updates, which was missing so far.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-18
Last Modified
2026-06-18
Generated
2026-06-19
AI Q&A
2026-06-18
EPSS Evaluated
N/A
NVD
CVE-2026-42487
EUVD
EUVD-2026-37888
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xen xen From 3.2.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42487 is a vulnerability in Xen's x86 Hardware Virtual Machine (HVM) I/O port handling. The issue arises because the linked lists used to manage I/O port translations for HVM guests are traversed without proper synchronization while these lists can be changed by the device model. This missing synchronization can lead to inconsistent or unsafe access to these lists.

Only entities controlling HVM guests, such as device models running in stub domains or de-privileged Dom0, can exploit this flaw. ARM systems are not affected, and the vulnerability impacts all Xen versions from 3.2 onwards on x86 systems.

Impact Analysis

Exploitation of this vulnerability can cause a hypervisor crash, resulting in a Denial of Service (DoS) for the entire host system.

In some cases, it may also allow privilege escalation or information leaks, potentially compromising the security of the host and guest systems.

Only users or processes with control over HVM guests can exploit this vulnerability, so the risk depends on the threat model and environment.

Detection Guidance

This vulnerability affects Xen's x86 HVM guests and involves missing synchronization in I/O port list traversal. Detection requires identifying if your system is running a vulnerable Xen version (3.2 or later) on x86 architecture with HVM guests.

Since the vulnerability is related to internal hypervisor data structures and device model behavior, there are no specific network-based detection commands provided.

To check if your system is potentially vulnerable, you can verify the Xen version and the type of guests running:

  • Check Xen version: `xl info | grep xen_version` or `xm info | grep xen_version`
  • List running guests and their types: `xl list` and `xl list -l` to inspect guest configurations for HVM guests

Monitoring for hypervisor crashes or unusual Denial of Service events related to device model I/O port accesses may also indicate exploitation attempts, but no direct commands for detection are provided.

Mitigation Strategies

Immediate mitigation involves applying available patches for the affected Xen versions. Patches such as xsa491.patch for xen-unstable and xsa491-4.21.patch for Xen 4.21.x through 4.17.x are provided.

If patching is not immediately possible, running only PV (Paravirtualized) or PVH (Paravirtualized Hardware Virtual Machine) guests instead of HVM guests mitigates the issue.

Switching to a fully privileged Dom0 device model does not resolve the vulnerability but changes its classification to a design issue, so it is not a recommended mitigation.

Deployment of patches is permitted during the embargo period, even on public-facing systems, but distribution of updated software outside the predisclosure list is restricted.

Compliance Impact

CVE-2026-42487 involves a vulnerability in Xen's x86 HVM I/O port handling that can lead to privilege escalation and information leaks. Such security issues could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with these or other common standards and regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42487. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart